-
Notifications
You must be signed in to change notification settings - Fork 343
v0.7 Release Blog
KubeArmor is increasingly deployed in near-edge and far-edge scenarios for enhanching security for IoT/Edge aspects. KubeArmor has added support to handle the characteristics of edge scenarios such as:
- Support for heterogenous platforms (most of the edge is deployed on ARM, Intel). KubeArmor also ensures that the same policy enforcement techniques are delivered across different linux kernel versions. It does this by abstracting the policy layer from the enforcement layer and the enforcement layer uses the techniques that are available in the context of the deployed worker node.
- Edge devices are constrained in terms of CPU and memory availability. The overall resource usage on KubeArmor has been drastically reduced. This has not only helped edge scenarios but cloud based deployments as well.
- KubeArmor supports the philosophy of "Do not assume always-on connectivity with the cloud platform".
Recently KubeArmor finished its integration with LFEdge Open Horizon. KubeArmor is also now listed on Intel SmartEdge Marketplace. Intel® Smart Edge is a Kubernetes-based, edge computing platform for deploying edge networks and delivering multi-access edge computing (MEC) for applications, containers, and virtual machines.
- RPI - Both as a systemd service and on k8s
- ARM VM
- Apple Macbook M1 laptops
KubeArmor currently applies policy at the pod level i.e. in the KubeArmorPolicy
you specify the selector labels which selects a set of pods across the cluster. However, a single pod may contain multiple containers and each container usually has a very different purpose and the set of binaries or file paths may vary across multiple containers within the pod.
This release adds support to apply the policies at specific container level by extending the selector label policy construct. Following is an instantiation of this construct:
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: block-ls-at-container-1
namespace: wordpress-mysql
spec:
severity: 2
selector:
matchLabels:
app: wordpress
kubearmor.io/container.name: "[container-1]"
process:
matchPaths:
- path: /bin/ls
action:
Block
Note the use of kubearmor.io/container.name: "[container-1]"
construct as part of the selector labels that allows kubearmor to select specific container(s) within the pod.
The file system paths and binaries present in different containers might be completely different. Without this feature, the block of a process operation in one container would also be blocked in other containers. The discovery-engine automatically discovers the security posture of the k8s application discovers what operations should be allowed. These operations are container specific and should be restricted to specific containers. Thus without the ability to specify container specific rules, there are chances that either the security posture is too generic (in the case of allow based policies) or too restrictive (in the case of block based policies).
Specifying container specific labels are optional i.e., if the container information is not specified then the previous way of applying the policies at pod level is retained.
...
...
KubeArmor already had a community driven curated list of System and Network policy templates at policy-template repository.
With the templates, it was upto the user to change values like namespace
labels
etc to make sure that the policies are actually enforcing on their cluster.
With the new kArmor recommend
it is made sure that the user doesn't have to change anything on the policy but rather simply apply them to get a secure environment for the Kubernetes deployments.
kArmor recommend
recommends policies based on container image, k8s manifest or the actual runtime environment itself.
karmor recommend --help
Recommend policies based on container image, k8s manifest or the actual runtime env
Usage:
karmor recommend [flags]
karmor recommend [command]
Available Commands:
update Updates policy-template cache
Flags:
-c, --config string absolute path to image registry configuration file
-h, --help help for recommend
-i, --image strings Container image list (comma separated)
-l, --labels strings User defined labels for policy (comma separated)
-n, --namespace string User defined namespace value for policies
-o, --outdir string output folder to write policies (default "out")
-r, --report string report file (default "report.txt")
-t, --tag strings tags (comma-separated) to apply. Eg. PCI-DSS, MITRE
Global Flags:
--context string Name of the kubeconfig context to use
--kubeconfig string Path to the kubeconfig file to use
Use "karmor recommend [command] --help" for more information about a command.
The kArmor recommend update
fetches the latest release of policy-templates and saves them locally. These policies are later recommended to the user according to the identified os distribution and preconditions.
karmor recommend update
INFO[0008] policy-templates updated Current Version=v0.1.4
You can get recommendation for an image or your kubernetes deployments.
kArmor recommend
with --namespace
flag will generate security policies for your active cluster if there is atleast one deployment in the namespace.
karmor recommend --namespace wordpress-mysql
INFO[0005] pulling image image="mysql:5.6"
5.6: Pulling from library/mysql
Digest: sha256:20575ecebe6216036d25dab5903808211f1e9ba63dc7825ac20cb975e34cfcae
Status: Image is up to date for mysql:5.6
INFO[0012] dumped image to tar tar=/tmp/karmor877338619/eCAIymyP.tar
Distribution debian
INFO[0013] No runtime policy generated for wordpress-mysql/mysql/mysql:5.6
created policy out/wordpress-mysql-mysql/mysql-5-6-cis-mysql-1-2.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-audit-access-to-mysqldump.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-maintenance-tool-access.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-cert-access.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-system-owner-discovery.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-least-functionality-execute-package-management-process-in-container.yaml ...
INFO[0014] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0024] dumped image to tar tar=/tmp/karmor615747835/DDgLodyj.tar
Distribution debian
INFO[0026] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in out/report.txt ...
The recommendation can be further filtered down using the flag --labels
. With this the user can input an array of labels belonging to deployments which needs policy recommendation.
karmor recommend --namespace wordpress-mysql --labels app=wordpress
INFO[0000] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0015] dumped image to tar tar=/tmp/karmor4070582578/GwoIiuRV.tar
Distribution debian
INFO[0018] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in out/report.txt ...
Policy recommendation can also be used on docker images using karmor recommend
. The --images
flag lets the user to get recommendation for any docker images.
karmor recommend --image ubuntu:latest
INFO[0000] pulling image image="ubuntu:latest"
latest: Pulling from library/ubuntu
Digest: sha256:4b1d0c4a2d2aaf63b37111f34eb9fa89fa1bf53dd6e4ca954d47caebca4005c2
Status: Image is up to date for ubuntu:latest
INFO[0010] dumped image to tar tar=/tmp/karmor4157088184/DRHNcyic.tar
Distribution ubuntu
INFO[0011] No runtime policy generated for //ubuntu:latest
created policy out/ubuntu-latest/maintenance-tool-access.yaml ...
created policy out/ubuntu-latest/system-owner-discovery.yaml ...
created policy out/ubuntu-latest/system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/ubuntu-latest/least-functionality-execute-package-management-process-in-container.yaml ...
output report in out/report.txt ...
karmor recommend
is also equipped with 2 reporting features: text and html. The text based reporting is enabled by default and creates a report.txt
file under the default output directory out
. Both the directory and report file can be customized using --outdir
and --report
flags respectively.
karmor recommend --namespace wordpress-mysql --labels app=wordpress --outdir wordpress-out
INFO[0000] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0020] dumped image to tar tar=/tmp/karmor1901668123/uFSqMXLS.tar
Distribution debian
INFO[0022] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in wordpress-out/report.txt ...
Deployment | wordpress-mysql/wordpress
Container | wordpress:4.8-apache
OS | linux
Arch | amd64
Distro | debian
Output Directory | wordpress-out/wordpress-mysql-wordpress
policy-template version | v0.1.4
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| POLICY | SHORT DESC | SEVERITY | ACTION | TAGS |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-maintenance- | Restrict access to maintenance | 1 | Audit | PCI_DSS,MITRE |
| tool-access.yaml | tools (apk, mii-tool, ...) | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-cert- | Restrict access to trusted | 1 | Block | MITRE,MITRE_T1552_unsecured_credentials |
| access.yaml | certificated bundles in the OS | | | |
| | image | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-system-owner- | System Information Discovery | 3 | Block | MITRE,MITRE_T1082_system_information_discovery |
| discovery.yaml | - block system owner discovery | | | |
| | commands | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-system- | System and Information | 5 | Block | NIST,MITRE,NIST_800-53_AU-2,NIST_800-53_SI-4,MITRE_T1036_masquerading |
| monitoring-deny-write-under-bin- | Integrity - System Monitoring | | | |
| directory.yaml | make directory under /bin/ | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-system- | System and Information | 5 | Audit | NIST,MITRE,NIST_800-53_AU-2,NIST_800-53_SI-4,MITRE_T1036_masquerading |
| monitoring-write-under-dev- | Integrity - System Monitoring | | | |
| directory.yaml | make files under /dev/ | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-least- | System and Information | 5 | Block | SI-4,NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,process |
| functionality-execute-package- | Integrity - Least | | | |
| management-process-in- | Functionality deny execution | | | |
| container.yaml | of package manager process in | | | |
| | container | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
The html
reporting will generate an html page with the all the important information.
karmor recommend --namespace wordpress-mysql --labels app=wordpress --outdir wordpress-out --report wordpress.html
INFO[0000] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0015] dumped image to tar tar=/tmp/karmor3128023835/TFNSLVYA.tar
Distribution debian
INFO[0017] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in wordpress-out/wordpress.html ...
...
...
- Fix AppArmor policies behavior https://github.com/kubearmor/KubeArmor/issues/954
- Discovery engine fixes
- Relative paths
- Refreshed
karmor summary
output - Improved discovered policies rules to include all necessary paths
- Data race conditions https://github.com/kubearmor/KubeArmor/issues/842